set block-policy drop
# only one loginterface can be active; with three lines the last one (em2) wins
set loginterface egress
set loginterface em0
set loginterface em2
set limit { states 1000000, src-nodes 100000, tables 1000000, table-entries 1000000 }
set skip on { lo0, $int_if }
match in log all scrub (no-df)
# NAT
match out log on egress inet from !(egress:network) to any nat-to (egress:0)
block in quick inet6 all
block out quick inet6 all
block in log all
pass out log inet keep state
# never evaluated: $int_if is in "set skip", so traffic on it bypasses pf entirely
pass in log on { $int_if }

Your new rules do not use the -b option of ftp-proxy, as the PF User's Guide recommended. It is my guess that you will want this set to your external 50.x.x.x.

Code:

-b address
Address where the proxy will listen for redirected control
connections. The default is 127.0.0.1, or ::1 in IPv6 mode.

The guide states (highlight mine):

Quote:

Edit /etc/rc.conf.local and add the following:

ftpproxy_flags="-R 10.10.10.1 -p 21 -b 192.168.0.1"

Here 10.10.10.1 is the IP address of the actual FTP server, 21 is the port we want ftp-proxy(8) to listen on, and 192.168.0.1 is the address on the firewall that we want the proxy to bind to.

You asked:

Quote:

What I fail to understand is how/why the old gateway works fine but the new settings do not.

Your older system was OpenBSD 4.7. As I mentioned above, at 5.0 ftp-proxy changed. Both your use of the proxy and your PF rules should have been revisited, and I'm sorry you missed it. Here's a link to the section from the 5.0 Upgrade Guide that describes the change, which I have excerpted below for your convenience.

Quote:

PF changes requiring changes to your pf.conf rules

ftp-proxy(8) and tftp-proxy(8) have changed: They now use divert-to instead of rdr-to, which improves performance. Old rules like these:

Your reply was very welcome. And it actually cleared up a few questions that I had. Thank-you.

I have removed the -b option so now the ftp-proxy command looks like this:

ftp-proxy -d -D7 -v -p 8022 -R 192.168.0.101 -P 21 -r

While I stated that [begin whine mode] I don't understand why this isn't working [/end whine mode], I actually do understand that the syntax and commands have changed. I know that the old rule-set won't work as a copy/paste. I was just trying to express some frustration, and I am sorry that I took it out on you.

As best I can tell the communication between server & client is failing after the client logs in, and the server tries switching to a new port (PASV mode).

The -R option sets the proxy in reverse mode, to support a server through NAT rather than clients. The address listed is the address of the server on your private LAN.

The -p option instructs the ftp-proxy to listen on port 21, as it will act as the FTP server to clients on the Internet.

The -b option instructs the proxy to listen on this external address. In my test, I selected one of the alias addresses I'd assigned to the firewall's Internet-facing NIC.

No port redirection rules are needed in PF to support this traffic. The ftp-proxy application listens on an address on the external NIC, port 21, and routes that traffic through to the FTP server's port 21.
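To tie the two points together (the rdr-to to divert-to change from the 5.0 upgrade note quoted earlier, and the reverse-mode -R/-p/-b setup described just above), here is a pf.conf fragment I put together as an illustration. It is not from this thread, the PF User's Guide, or OpenBSD's own examples. The interface names, the external address 198.51.100.10 (a documentation range) and the variable names are my assumptions; 192.168.0.101 is the server address from the ftp-proxy command posted above. The OLD/NEW pair at the bottom is my rendering of the change the upgrade note describes, not the elided text of the quote.

```pf
# rc.conf.local (assumed values):
#   ftpproxy_flags="-R 192.168.0.101 -p 21 -b 198.51.100.10"

ext_if     = "em0"              # assumption: Internet-facing NIC
int_if     = "em1"              # assumption: LAN NIC
ftp_srv    = "192.168.0.101"    # private address given to ftp-proxy -R
proxy_addr = "198.51.100.10"    # external address given to ftp-proxy -b (assumption)

# ftp-proxy inserts a per-session rule for each data connection here
# (PASV and PORT). If this anchor is missing, the login on the control
# connection succeeds but every transfer hangs, because the dynamic
# rules are never evaluated by the ruleset.
anchor "ftp-proxy/*"

# Control connection: in reverse mode ftp-proxy itself binds to
# $proxy_addr port 21 (-p 21 -b $proxy_addr), so the only thing PF
# has to do is let the client reach that socket. No rdr-to and no
# divert-to is involved for the control channel.
pass in on $ext_if inet proto tcp from any to $proxy_addr port 21

# The proxy then opens its own connection to the real server (port 21,
# as fixed by -P 21). It originates on the firewall, so a plain pass
# out covers it; with "set skip on $int_if" in the ruleset this line
# is not even needed.
pass out on $int_if inet proto tcp from ($int_if) to $ftp_srv port 21

# For comparison, the forward-proxy rule (clients on the LAN reaching
# servers on the Internet) before and after 5.0. Only the last keyword
# differs: rdr-to rewrote the destination to 127.0.0.1:8021, divert-to
# hands the packet to the socket ftp-proxy has bound there without
# changing the addresses, which is why the old rule stops working.
# OLD (4.7 - 4.9):
#   pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
# NEW (5.0 and later):
#   pass in quick proto tcp to port ftp divert-to 127.0.0.1 port 8021
```

Check the anchor after a client has issued PASV with `pfctl -a "ftp-proxy/*" -sr` (or `pfctl -a "ftp-proxy/*" -vsA` to list the per-session sub-anchors): a rule for the client's data connection should appear there for the duration of the transfer. If nothing shows up, the proxy is not running under a ruleset that evaluates the anchor, which matches the symptom of a session that dies right after login.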